VulnerableCode Package Details - pkg:composer/ec-cube/ec-cube@4.1.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-f13c-wzhp-cqap Aliases: CVE-2023-25077	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting vulnerability in Authentication Key Settings of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.	4.2.1 Affected by 0 other vulnerabilities.
VCID-fuus-wqhf-s3be Aliases: CVE-2023-46845	Improper Control of Generation of Code ('Code Injection') EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege.	4.2.3 Affected by 0 other vulnerabilities.
VCID-he32-4cf1-akf5 Aliases: CVE-2023-22438	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting vulnerability in Contents Management of EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0), EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p5), and EC-CUBE 2 series (EC-CUBE 2.11.0 to 2.11.5, EC-CUBE 2.12.0 to 2.12.6, EC-CUBE 2.13.0 to 2.13.5, and EC-CUBE 2.17.0 to 2.17.2) allows a remote authenticated attacker to inject an arbitrary script.	4.2.1 Affected by 0 other vulnerabilities.
VCID-kgjm-uhbj-gffx Aliases: CVE-2023-22838	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting vulnerability in Product List Screen and Product Detail Screen of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.	4.2.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-f13c-wzhp-cqap
Aliases:
CVE-2023-25077

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting vulnerability in Authentication Key Settings of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.

4.2.1
Affected by 0 other vulnerabilities.

VCID-fuus-wqhf-s3be
Aliases:
CVE-2023-46845

Improper Control of Generation of Code ('Code Injection') EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege.

4.2.3
Affected by 0 other vulnerabilities.

VCID-he32-4cf1-akf5
Aliases:
CVE-2023-22438

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting vulnerability in Contents Management of EC-CUBE 4 series (EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0), EC-CUBE 3 series (EC-CUBE 3.0.0 to 3.0.18-p5), and EC-CUBE 2 series (EC-CUBE 2.11.0 to 2.11.5, EC-CUBE 2.12.0 to 2.12.6, EC-CUBE 2.13.0 to 2.13.5, and EC-CUBE 2.17.0 to 2.17.2) allows a remote authenticated attacker to inject an arbitrary script.

4.2.1
Affected by 0 other vulnerabilities.

VCID-kgjm-uhbj-gffx
Aliases:
CVE-2023-22838

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Cross-site scripting vulnerability in Product List Screen and Product Detail Screen of EC-CUBE 4.0.0 to 4.0.6-p2, EC-CUBE 4.1.0 to 4.1.2-p1, and EC-CUBE 4.2.0 allows a remote authenticated attacker to inject an arbitrary script.

4.2.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-mr5c-68tz-nfbn	Missing Authorization EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1 improperly handle HTTP Host header values, which may lead a remote unauthenticated attacker to direct the vulnerable version of EC-CUBE to send an Email with some forged reissue-password URL to EC-CUBE users.	CVE-2022-25355

Vulnerability

Summary

Aliases

VCID-mr5c-68tz-nfbn

Missing Authorization EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1 improperly handle HTTP Host header values, which may lead a remote unauthenticated attacker to direct the vulnerable version of EC-CUBE to send an Email with some forged reissue-password URL to EC-CUBE users.

CVE-2022-25355

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:46:15.466661+00:00	GitLab Importer	Affected by	VCID-fuus-wqhf-s3be	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ec-cube/ec-cube/CVE-2023-46845.yml	38.6.0
2026-06-02T04:44:11.322819+00:00	GitLab Importer	Affected by	VCID-he32-4cf1-akf5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ec-cube/ec-cube/CVE-2023-22438.yml	38.6.0
2026-06-02T04:44:10.375765+00:00	GitLab Importer	Affected by	VCID-kgjm-uhbj-gffx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ec-cube/ec-cube/CVE-2023-22838.yml	38.6.0
2026-06-02T04:44:10.211654+00:00	GitLab Importer	Affected by	VCID-f13c-wzhp-cqap	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ec-cube/ec-cube/CVE-2023-25077.yml	38.6.0
2026-06-02T04:41:40.379277+00:00	GitLab Importer	Fixing	VCID-mr5c-68tz-nfbn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/ec-cube/ec-cube/CVE-2022-25355.yml	38.6.0